src / sbin / iked
Default branch: MAIN
Revision 1.101, Sat Mar 2 16:16:07 2024 UTC (3 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.100: +16 -6 lines
Trigger retransmission only for fragment 1/x, otherwise each received fragment can trigger retransmission of the full fragment queue. From RFC7383, 2.6.1: "[...] that event MUST only trigger a retransmission of the response message (fragmented or not) if the Fragment Number field in the received fragments is set to 1; otherwise, it MUST be ignored." from markus
Revision 1.100, Fri Aug 4 19:06:25 2023 UTC (10 months, 1 week ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.99: +12 -11 lines
Convert calls to ibuf_length() where it is clear that the ibuf is not NULL to ibuf_size(). In some cases it is clear that the ibuf pointer should just be checked for NULL since afterwards a new ibuf is allocated in its place. OK tb@
Revision 1.99, Fri Jul 28 11:23:03 2023 UTC (10 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.98: +9 -9 lines
Implement print_hexbuf() to hexdump the contents of an ibuf. OK tb@
Revision 1.98, Fri Jul 28 07:31:38 2023 UTC (10 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.97: +8 -7 lines
Use ibuf_data() instead of accessing the ibuf buf pointer directly. Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate. OK tobhe@ tb@
Revision 1.97, Tue Jul 18 15:07:41 2023 UTC (10 months, 3 weeks ago) by claudio
Branch: MAIN
Changes since 1.96: +5 -5 lines
Kill ibuf_cat() since there is now ibuf_add_buf() in the official API. OK tb@ tobhe@
Revision 1.96, Wed Jun 28 14:10:24 2023 UTC (11 months, 2 weeks ago) by tobhe
Branch: MAIN
Changes since 1.95: +6 -1 lines
Add support to verify X509 chain from CERT payloads. Encode cert and intermediate CAs in new cert bundle object, so the information can be passed to the ca process in one step. Pass untrusted intermediates to X509_verify_cert(). From markus@
Revision 1.95, Tue Jun 13 12:34:12 2023 UTC (11 months, 4 weeks ago) by tb
Branch: MAIN
Changes since 1.94: +7 -7 lines
iked: introduce and use print_addr(). The vast majority of print_host() callers cast the first argument (usually a sockaddr_storage *) to (struct sockaddr *) and pass both a NULL buffer and 0 length. Cast and useless arguments lead to awkward line wrapping in many places. Clean this up by introducing a helper. Make this helper take a void pointer, so all casts go away. ok claudio kn tobhe
Revision 1.94, Tue Jun 6 13:27:49 2023 UTC (12 months ago) by claudio
Branch: MAIN
Changes since 1.93: +3 -3 lines
Use ibuf_seek() instead of ibuf_data() + offset constructs. Effect is the same in these cases. OK tb@
Revision 1.93, Tue May 30 08:41:15 2023 UTC (12 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.92: +10 -2 lines
Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat() method but instead of overwriting ibuf internals replace the buf a level up. Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to msg_data (which is another footgun to disarm at some point). OK tb@
Revision 1.92, Tue May 23 13:57:14 2023 UTC (12 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.91: +5 -5 lines
Replace ibuf_advance() with ibuf_reserve(). OK tobhe@ tb@ kn@
Revision 1.91, Tue May 23 13:12:19 2023 UTC (12 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.90: +29 -29 lines
Replace ibuf_release() with ibuf_free() since the former just calls the latter. OK kn@ tb@
Revision 1.90, Tue Dec 6 09:07:33 2022 UTC (18 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.89: +2 -2 lines
Print size_t with %zu. ok patrick@
Revision 1.89, Sat Dec 3 21:02:27 2022 UTC (18 months, 1 week ago) by tobhe
Branch: MAIN
Changes since 1.88: +2 -1 lines
Include endian.h where needed for betohXX functions.
Revision 1.88, Fri Nov 11 16:17:16 2022 UTC (19 months ago) by mbuhl
Branch: MAIN
Changes since 1.87: +3 -2 lines
In case of an invalid SA, resp is passed to ikev2_msg_cleanup without initialization, where the msg_parent field is accessed. ok tobhe
Revision 1.87, Wed Sep 21 22:32:11 2022 UTC (20 months, 2 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.86: +2 -2 lines
Distinguish between retransmit ok and nothing to retransmit. This makes sure ikes_retransmit_response events don't also increase the ikes_msg_rcvd_busy counter. ok markus@
Revision 1.86, Mon Sep 19 20:54:02 2022 UTC (20 months, 3 weeks ago) by tobhe
Branch: MAIN
Changes since 1.85: +12 -2 lines
Add iked connection statistics for successful and failed connections, common error types and other events that help analyze errors in larger setups. The counters can be printed with 'ikectl show stats'. ok bluhm@ patrick@ from and ok markus@
Revision 1.85, Mon Mar 14 12:58:55 2022 UTC (2 years, 2 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.84: +114 -97 lines
Improve retransmission of message fragments. RFC 7383 states that loss of a single fragment results in a retransmit of all fragments belonging to the same message. Instead of treating each fragment as a message with a separate retransmit timer, keep only a single timer for all fragments of a message and retransmit all fragments in order on timeout. Improves reliability in case of packet loss when fragmentation is enabled. Found by and diff from Daniel Herzinger. ok patrick@
Revision 1.84, Wed Dec 1 16:42:13 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.83: +5 -5 lines
whitespace cleanup during review read
Revision 1.83, Mon Nov 29 06:43:42 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.82: +5 -5 lines
sys/param.h was included for MAX(), MIN() and roundup(). make local copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places, and also include a roundup() ok jsg
Revision 1.82, Sat Nov 27 21:50:05 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.81: +3 -3 lines
Rename msg_id to msg_peerid now that we also have msg_localid. ok patrick@
Revision 1.81, Fri Nov 26 16:22:44 2021 UTC (2 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.80: +3 -1 lines
A peer sends both his local id and remote id he expects us to be. So far we have only looked at the peer's local id, so that we can find a policy with the matching dstid set. Hence dstid is involved in the decision making. While we do send out our local id, which the peer will use to verify his policies, we do not yet make a decision based on the id the peer expects us to have. If you have two policies configured with only srcid set, we will always pick the same. To be able to choose a policy that matches the peer's expectations, save the local id the peer expects us to have and use it during policy lookup. ok tobhe@
Revision 1.80, Tue Sep 7 14:06:23 2021 UTC (2 years, 9 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.79: +7 -3 lines
Fix leak of m if message initialization fails. ok markus@
Revision 1.79, Thu Sep 2 19:28:35 2021 UTC (2 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.78: +4 -4 lines
style
Revision 1.78, Wed Sep 1 15:30:06 2021 UTC (2 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.77: +3 -1 lines
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection. Automatic name server configuration is enabled by default for policies using the 'iface' option. discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@
Revision 1.77, Thu Oct 29 21:49:58 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.76: +5 -1 lines
Add initial support to request IP addresses as IKEv2 initiator. At the moment the address is only negotiated and printed to the log. If 'request addr 0.0.0.0' is configured, any address will be accepted. ok patrick@
Revision 1.76, Fri Oct 9 08:59:16 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.75: +1 -2 lines
More unused headers.
Revision 1.75, Fri Oct 9 08:54:24 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.74: +1 -2 lines
Remove unused "wait.h" includes.
Revision 1.74, Tue Oct 6 19:06:06 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.73: +7 -4 lines
Always allocate hash_keylength() for buffers passed to hash_final() to make sure there is enough space for the non truncated hash output.
Revision 1.73, Sat Oct 3 20:23:08 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.72: +3 -1 lines
React to DELETE notifications only in INFORMATIONAL messages and move the logic closer to the other INFORMATIONAL payloads. Add some more sanity checks while we're at it. ok patrick@
Revision 1.72, Sat Sep 26 16:20:36 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.71: +3 -1 lines
Cleanup msg_eap in ikev2_msg_cleanup().
Revision 1.71, Sat Aug 15 11:31:17 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.70: +2 -3 lines
Remove dead assignments.
Revision 1.70, Tue Aug 11 20:51:06 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.69: +4 -4 lines
Prioritize incoming certificate requests by the order of CERTREQ payloads in the received message. ok patrick@
Revision 1.69, Wed Jul 8 21:35:35 2020 UTC (3 years, 11 months ago) by tobhe
Branch: MAIN
Changes since 1.68: +1 -3 lines
Always try to retransmit on sendtofrom() errors to ensure the SA is properly cleaned up in ikev2_msg_retransmit_timeout(). ok patrick@
Revision 1.68, Tue May 26 20:24:31 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.67: +146 -47 lines
Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2. They can be configured with the new ikesa enc options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12. Tested with Strongswan by Stephan Mendling and myself. Tested with Juniper SRX by remi@. ok sthen@, patrick@
Revision 1.67, Thu May 14 15:08:30 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.66: +19 -7 lines
Stricter return value checking for EVP_Cipher* calls. ok patrick@
Revision 1.66, Fri Apr 24 21:15:05 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.65: +4 -2 lines
Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for debugging and fill up the logs. ok patrick@ kn@
Revision 1.65, Fri Apr 17 20:54:23 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.64: +15 -2 lines
Log retransmits of sent requests and responses. ok markus@
Revision 1.64, Tue Mar 10 09:42:40 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.63: +1 -67 lines
Delete dead code in ikev2_msg_valid_ike_sa(). ok markus@
Revision 1.63, Tue Mar 10 09:35:21 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.62: +3 -3 lines
Make sure 'e' is NULL initialized to prevent nullptr dereference in ibuf_release(). ok gerhard@
Revision 1.62, Wed Jan 22 07:52:37 2020 UTC (4 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.61: +2 -2 lines
delete wasteful ;; ok tedu
Revision 1.61, Thu Jan 16 20:05:00 2020 UTC (4 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.60: +2 -2 lines
Add '-p' command line option which allows configuring the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited. ok sthen@
Revision 1.60, Thu Nov 28 12:16:28 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.59: +9 -1 lines
Move Notify and Certreq payload handlers after the parser. Modify SA state only when the full message was parsed successfully. ok patrick@, "that's working for me" - sthen@
Revision 1.59, Fri Nov 15 13:55:13 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.58: +12 -11 lines
Fix error handling in ikev2_msg_send. Check sa is not NULL before using it. Use sa consistently instead of mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save the message for retransmission and return 0 instead of -1. ok mikeb@
Revision 1.58, Wed Nov 13 12:24:40 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.57: +3 -1 lines
Log reason whenever a child SA is freed. This makes it easier to distinguish "valid" reasons to close an SA, such as rekeying, from errors. ok sthen@
Revision 1.57, Mon Nov 11 15:10:39 2019 UTC (4 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.56: +36 -1 lines
Cleanup message retransmission handling with new helper functions. ok patrick@
Revision 1.56, Mon Aug 12 07:40:45 2019 UTC (4 years, 10 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.55: +6 -5 lines
Prepend SPI to send and recv log messages to see which line belongs to which SA. Use IKE specific terms peer and local instead of to and from. ok reyk@ patrick@
Revision 1.55, Sat May 11 16:30:23 2019 UTC (5 years, 1 month ago) by patrick
Branch: MAIN
Changes since 1.54: +150 -2 lines
Add support for IKEv2 Message Fragmentation as defined in RFC 7383. ok sthen@
Revision 1.54, Fri May 10 15:02:17 2019 UTC (5 years, 1 month ago) by patrick
Branch: MAIN
Changes since 1.53: +2 -2 lines
Enforce messages after IKE_SA_INIT exchange to contain only encrypted payloads. Also increment message id only for valid messages. From Tobias Heider. ok sthen@
Revision 1.53, Mon Nov 27 18:39:35 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.52: +3 -1 lines
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all. ok sthen@ tweaks from jmc@ tested by a handful
Revision 1.52, Wed Apr 26 10:42:38 2017 UTC (7 years, 1 month ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.51: +9 -1 lines
cope with IP address changes. before, we were trying to resend the msg with the no-longer-available address over and over and over, requiring iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule SA deletion so a new one is set up shortly thereafter. ok reyk mikeb
Revision 1.51, Mon Mar 27 10:21:19 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.50: +4 -1 lines
Add support to reflect the responder IKEv2 COOKIE. This fixes connecting to Azure VPN and other implementations that implement the IKEv2 COOKIE mechanism on the responder side. Azure decides to send you a responder COOKIE after too many connection attempts - we have to keep it and reflect it to establish a connection. This implementation is only for the initiator (client) side, we do not support sending COOKIEs on the responder (server) side yet. OK patrick@ mikeb@
Revision 1.50, Mon Mar 27 10:06:41 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.49: +11 -4 lines
Add support for RFC4754 (ECDSA) and RFC7427 authentication. These modes provide stronger and more flexible ways for authentication: while RSA public key auth relies on SHA-1 hashes, the new modes use SHA2-256 and up to SHA2-512 hashes. Original diff from markus@ with patches from mikeb@ and me. OK mikeb@ patrick@
Revision 1.49, Mon Mar 13 17:41:14 2017 UTC (7 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.48: +1 -2 lines
NAT-T improvements. Move repeated creation of the NAT-T payload into a function, remove erroneous msg_offset, and improve NAT-T handling. From and OK markus, OK mikeb
Revision 1.48, Fri Jan 20 14:09:00 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.47: +6 -1 lines
Reset various pointers in ikev2_msg_cleanup. From and OK markus@, OK reyk
Revision 1.47, Fri Jan 20 13:58:05 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.46: +3 -1 lines
Closed SAs should never be treated as valid. From and OK markus@, OK reyk
Revision 1.46, Sun Sep 4 10:26:02 2016 UTC (7 years, 9 months ago) by vgross
Branch: MAIN
Changes since 1.45: +15 -12 lines
Now that we have IP_SENDSRCADDR, add sendtofrom(). Ok jca@ and reyk@
Revision 1.45, Mon Oct 19 11:25:35 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.44: +34 -15 lines
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs. OK mikeb@
Revision 1.44, Thu Oct 15 18:40:38 2015 UTC (8 years, 7 months ago) by mmcc
Branch: MAIN
Changes since 1.43: +3 -5 lines
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero(). ok mikeb@
Revision 1.43, Fri Aug 21 11:59:27 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.42: +17 -17 lines
Switch iked to C99-style fixed-width integer types. OK mikeb@
Revision 1.42, Thu Mar 26 19:52:35 2015 UTC (9 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.41: +3 -3 lines
initial support for RFC 7427 signatures, so we are no longer restricted to SHA1 for RSA signatures. ok mikeb@
Revision 1.41, Sun Feb 15 01:56:42 2015 UTC (9 years, 3 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.40: +2 -2 lines
convert bcmp to memcmp ok doug millert miod
Revision 1.40, Fri Feb 6 10:39:01 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.39: +1 -2 lines
unneeded getopt.h
Revision 1.39, Mon Jan 19 14:42:42 2015 UTC (9 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.38: +1 -2 lines
Remove unnecessary <netinet/ip_ipsp.h> includes
Revision 1.38, Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.37: +2 -2 lines
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
Revision 1.37, Fri Nov 7 14:02:32 2014 UTC (9 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.36: +1 -5 lines
Repair initiator with PSK auth. Attempt state transition to VALID (or EAP_VALID) in the ikev2_ike_auth after we have completed authentication synchronously (PSK) or asynchronously (X.509 and RSA), eliminating the need to do so in multiple places and restoring the correct order for PSK. ok markus
Revision 1.36, Mon Aug 25 07:50:25 2014 UTC (9 years, 9 months ago) by doug
Branch: MAIN
Changes since 1.35: +2 -2 lines
Delete secret or secret-derived data with explicit_bzero. concept ok deraadt@ diff looks ok tedu@
Revision 1.35, Wed May 7 13:04:01 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.34: +6 -3 lines
print msgid for debugging; ok reyk & mikeb
Revision 1.34, Tue May 6 10:24:22 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.33: +16 -2 lines
initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey events while we are busy initiating child-SAs; ok mikeb@
Revision 1.33, Mon May 5 16:14:37 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.32: +1 -2 lines
the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb
Revision 1.32, Tue Apr 29 11:51:13 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.31: +2 -1 lines
make sure the state machine only advances if the AUTH payload has been verified; with & ok mikeb@
Revision 1.31, Tue Apr 22 12:00:03 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.30: +3 -3 lines
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit. ok mikeb@
Revision 1.30, Thu Apr 10 16:08:02 2014 UTC (10 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.29: +7 -4 lines
Add validation routines to ikev2_pld.c: For each payload type, the overall header structure is checked for sanity before copying the header. Always pass down the number of remaining bytes in the payload or substructure so we can always ensure to not go beyond actual data. Also remove the quick parsing step as it does not provide a real benefit anymore. From Hans-Joerg Hoexer. ok mikeb@ markus@
Revision 1.29, Mon Feb 17 11:00:14 2014 UTC (10 years, 3 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.28: +12 -12 lines
Fix compiler warnings in the format strings: use %zd for ssize_t and %zu for size_t. From Andre de Oliveira. With input and OK from blambert@ markus@
Revision 1.28, Fri Jan 24 05:58:52 2014 UTC (10 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.27: +8 -10 lines
use a bit saner timer api
Revision 1.27, Tue Dec 3 13:55:39 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.26: +5 -4 lines
never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr. this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@
Revision 1.26, Thu Sep 26 13:09:38 2013 UTC (10 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.25: +7 -4 lines
After some manipulations with the buffer, the ike message header (hdr) might no longer point to the same memory as before. The bug was reported and the fix was tested by LEVAI Daniel. Thanks!
Revision 1.25, Thu Mar 21 04:30:14 2013 UTC (11 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.24: +1 -2 lines
remove excessive includes
Revision 1.24, Tue Jan 8 10:38:19 2013 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.23: +2 -3 lines
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
Revision 1.23, Sat Dec 15 23:20:17 2012 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.22: +8 -14 lines
Remove unused variables.
Revision 1.22, Mon Oct 22 10:25:17 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.21: +16 -9 lines
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500. Tested by mikeb@ and me. ok mikeb@
Revision 1.21, Tue Sep 18 12:07:59 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.20: +2 -2 lines
update email addresses to match reality. sure jsg@ mikeb@
Revision 1.20, Wed Jun 27 15:36:36 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.19: +1 -2 lines
leftover code re-enqueued the same item on the list multiple times
Revision 1.19, Wed Jun 27 14:03:50 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.18: +3 -3 lines
prevent an endless loop
Revision 1.18, Tue Jun 26 11:09:10 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.17: +12 -10 lines
improve ikev2_msg_retransmit_timeout
Revision 1.17, Tue Jun 26 11:00:28 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.16: +7 -14 lines
compare exchange types as well when looking up a message; proceed with a response only when the appropriate request is found.
Revision 1.16, Fri Jun 22 16:28:20 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.15: +163 -17 lines
Add initial support for retransmission timeouts and response retries. This should still be considered an experimental work in progress.
Revision 1.15, Wed May 30 09:18:14 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.14: +9 -5 lines
pass a file descriptor in the msg_fd instead of a function argument
Revision 1.14, Thu May 24 14:41:36 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.13: +8 -5 lines
don't increment the next expected message id when sending a response back. while it might look like a step backwards, this fixes up eap negotiation and bigger changes to this code are in the pipe anyways.
Revision 1.13, Mon May 7 10:58:38 2012 UTC (12 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.12: +2 -2 lines
Sync up several defines with RFC 5996. IANA has changed the existing IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).
Revision 1.12, Mon May 9 11:15:18 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.11: +2 -2 lines
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
Revision 1.11, Fri Jan 21 12:37:28 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.10: +14 -9 lines
handle empty encrypted payloads (might happen with some informationals) ok mikeb@
Revision 1.10, Fri Jan 21 11:56:00 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.9: +3 -3 lines
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details. The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked having skip steps in another piece of code. ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
Revision 1.9, Wed Dec 22 16:22:27 2010 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.8: +6 -7 lines
child sa rekeying revamp plus numerous bugfixes; with suggestions and OK from reyk
Revision 1.8, Thu Sep 30 10:34:56 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.7: +3 -17 lines
disable padding correctly. therefore we no longer need to supply additional space in the buffer and just pad input length up to the block size. finalization is not needed for properly padded data. kills a bunch of XXX's and an annoying error from openssl. also, check a result from CipherUpdate while here. ok reyk
Revision 1.7, Sun Jun 27 01:03:22 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.6: +15 -4 lines
Instead of modifying and fiddling with the IKE SA in the payload parsing routines directly, first parse the message and save the parsed elements in the temporary message struct before validating the information and taking any other actions on the actual SA. This needs more testing, but is the cleaner and better approach.
Revision 1.6, Mon Jun 14 23:23:52 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.5: +2 -2 lines
check if cert is available and valid
Revision 1.5, Mon Jun 14 21:12:56 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.4: +6 -7 lines
Initial support for initiator mode which allows running iked as a "client" or configuring iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs. It currently only supports psk (pre-shared keys) and no certificates, doesn't do any rekeying or SA timeouts, and needs more cleanup. So it is not quite production ready yet - but ready for simple tests...
Revision 1.4, Mon Jun 14 11:33:55 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.3: +4 -1 lines
restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use shared functions for common stuff.
- first parse the received message and store information in the temporary message struct instead of modifying the ike sa in the parsing code directly.
Revision 1.3, Mon Jun 14 08:55:59 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.2: +15 -4 lines
cleanup messages and parsed information correctly
Revision 1.2, Mon Jun 14 08:10:32 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.1: +35 -1 lines
More code for initiator mode (not finished yet)
Revision 1.1, Thu Jun 10 08:29:47 2010 UTC (14 years ago) by reyk
Branch: MAIN
i don't like splitting source code in too many source files but ikev2.c has grown too large, so split it in 3 files and rename a few functions to organize the code a bit better.